Debunking PvZ user data's unknown flags
Well, I'm starting to become really interested in this PvZ hacking, so I'll just post my discoveries here. According to the user file format page on PvZ wiki there are some unknown addresses in the user data files. I'm starting to think that this might be related to unused contents in it, and I was kinda right. The first thing I discovered is the relations of address 0x38, 0x3C, 0x44, and 0x48. They seemed to be unknown addresses at first, but guess what. Since 0x40 stores the highest addressesyou did in Survival Endless, this comes to a suspicion, where those 4 addresses are actually related to the unused Survival Endless modes in Limbo Page. There are four unused Endless modes, and they're Day, Night, Fog, and Roof. Four unknown addresses, four unused Endless modes. Hmmmm... This is where things start to get pretty clear. The last eight addresses are related to the order of Survival flags, both in-game (as IDs), and in user data. 0x010 4 Flags attained at Survival: Day (out of 5) 0x014 4 Flags attained at Survival: Night (out of 5) 0x018 4 Flags attained at Survival: Pool (out of 5) 0x01C 4 Flags attained at Survival: Fog (out of 5) 0x020 4 Flags attained at Survival: Roof (out of 5) 0x024 4 Flags attained at Survival: Day (Hard) (out of 10) 0x028 4 Flags attained at Survival: Night (Hard) (out of 10) 0x02C 4 Flags attained at Survival: Pool (Hard) (out of 10) 0x030 4 Flags attained at Survival: Fog (Hard) (out of 10) 0x034 4 Flags attained at Survival: Roof (Hard) (out of 10) So the pattern is Day - Night - Pool - Fog - Roof, just like the normal order of levels. Now take a look at those unknown addresses orders. ?? - ?? - Pool - ?? - ?? The pattern would probably be the same as those eight addresses, but might not be for skeptics. I'm not a person who's easy to get skeptical, so I'll go with guessing the pattern. Day - Night - Pool - Fog - Roof. Then I decided to modify address 0x38 to 0xFF (255), 0x3C to 0xFE (254), 0x44 to 0xFD (253), and 0x48 to 0xFC (252), using a hex editor. Screenshot here . I switched to other user profile in PvZ (since it WON'T allow modifying the user file if it's being used in PvZ), saved the modified profile, and switched back to the previous user profile. After that, I looked at the limbo page to see if the flag counter shows up, and it does, with the correct values I gave. Screenshot . So probably back in the beta those endless survival modes were meant to exist in the survival page, thus explaining why there are some gaps in the Survival Endless modes. The gamemode ID itself is ordered correctly like the number of flags survived in the survival modes in the user file. ---- Another thing I found is whether or not the player has got trophies of hidden minigames and Zen Garden (sounds weird really, but you CAN actually get it via hex editing) There were some HUGE gaps of unknown addresses between the address of "Has Dr. Zomboss's Revenge minigame trophy" (address 0x98) and height of Tree of Wisdom in feet (address 0xD4). The unknown addresses are 0x9C to 0xD3. Again, this makes me think that this might be somewhat related to Limbo Page. My assumption is that the mini-game trophy addresses are ordered based by their IDs in-game. Now let's take a look at some game mode IDs available in PvZ. This is gathered from the hybrid minigames page. We'll just start off with Pogo Party, since it's the second to last minigame that's not hidden. Since address 0x94 is the address of whether or not the player has the Pogo Party trophy, and 0x98 is the address of whether the player has the Zomboss's Revenge trophy, this also made me wonder if those addresses are REALLY related to the order of the gamemode ID. So I decided to mess around with the address 0x9C, which is zero by default, and change it to 1. Saved the profile, and went back to Limbo Page. The result is that now the Art Challenge Wall-nut minigame now has a trophy. I experimented until the address 0xCC, where it's the address of Bungee Blitz trophy. At address 0xD0, something gets a bit weird. After setting it to 1, there seems to be no changes in the limbo page trophies. However, I saw that according to the ID ordering, after the Bungee Blitz, there's Squirrel, which is not even visible in Limbo Page. So I guess the address 0xD0 determines whether or not the player has the trophy in Squirrel. Address 0xD4 is pretty much the Tree of Wisdom's height, because it comes after Squirrel. They're all 4 bytes long, which means that they're 32-bit integers. Then there are addresses 0x128-0x19F, which are also unknown. Now since I got the logic of "order based by gamemode ID", I guessed that these are addresses of whether the player has got the Upsell and Intro trophy, which is true. Address 0x120 is All your brainz r belong to us puzzle trophy, while address 0x124 is the streak length at I, Zombie Endless. From gamemode ID: All your brainz > I, Zombie Endless > Upsell > Intro. As mentioned before, they're all 4 bytes long so the actual addresses that has to be uncovered should be only 0x128 and 0x12C. Two addresses. This leads to a mystery of what's the function of the remaining unknown addresses. So I changed those two addresses to 1 and sure enough I got the trophies of Upsell and Intro, which looks quite bizarre because they were meant to be some advertisements of some sort. The rest of the unknowns are normally set to zero. I've tried to set those to 1 but nothing happens. Guess they're SCRAPPED gamemodes too, but with a code that's entirely scrapped from the game? Who knows. The only thing is that attempting to go past 72 ALWAYS crashes the game, so I dont know if it's even related to a completely scrapped set of gamemodes or not. You can't even see the missing string (i.e. those that looks like ), because it crashes right after you start the gamemode. Maybe I should find a way to NOT make it crash. The verdict They seem to have patterns and whatnot, and here are some that I could explain. *Those addresses are always 4-bytes long, which means that they're 32-bit integers. *They're ordered based on the order of Gamemode IDs in-game. *Setting those addresses to 1 will tell the player that they have "finished" those gamemodes, and vice versa. *They're related to the Limbo Page. That's it for now. I'll update this pretty soon if I got some more stuff.